3 Working with Oracle WebCenter Collaboration Security

This chapter describes the security model used by Oracle WebCenter Collaboration. Oracle WebCenter Collaboration security is based on the use of roles and access levels. Additionally, activity rights are used to manage access to Oracle WebCenter Collaboration functionality. These concepts are described in the following sections.

Project Security

Access to Oracle WebCenter Collaboration projects is set and managed through project roles. Roles control access levels and permissions for Oracle WebCenter Collaboration objects. Users are assigned to a project role, and the access level of the role determines the actions that the user can perform.

Project Roles

A portal user can access a project only when assigned a role in that project.

Oracle WebCenter Collaboration contains the following roles:

Table 3-1 Descriptions of Project Roles

| Role | Description |
|---|---|
| Project Leader | The Project Leader role has Admin access for the project and its objects. Project Leaders can create, edit, and delete project objects; set permissions for project objects; and perform all project tasks. Note: Portal administrators are default members of the Project Leader role and cannot be removed. |
| Project Member | By default, the Project Member role has Write access for the project and its objects. |
| Project Guest | By default, the Project Guest role has Read access for the project and its objects. |

Role assignments are project-specific, and the same portal user can have different roles in different projects. Additionally, under the same role, users can have different permissions in different projects, because the role itself can have one set of permissions in one project and a different set of permissions in another.

Access Levels

All Oracle WebCenter Collaboration objects have five levels of access that can be assigned to them. These access levels are:

Admin

Edit

Write

Read

No Access

Each access level includes the rights of all lower access levels.

Each role in a project has an associated access level for each object type. A user's access level to an object or functional area is determined by his or her assigned role in the project.

Access Level Permissions Matrix

The following table shows what permissions each access level allows for each object type:

Table 3-2 Permissions Matrix

Object Type

Read

Write

Edit

Admin

Projects

View project

View announcements

View project

View announcements

View project

View announcements

Create, edit and delete announcements

Subscribe others

Events

View events

Notify other users about an event

Create events

Attach files, task lists, and discussions

Edit event properties

Configure event security

Delete events

Tasks

View task lists

Notify other users about a task list or task

Claim tasks (assign tasks to self)

Create tasks

Order tasks

Update task status for assigned tasks

Assign owners to tasks

Attach files and discussions

Copy task lists

Create task lists

Import and export task lists

Edit task list and task properties

Configure task list security

Delete task lists and tasks

Generate overdue task alerts

Move task lists

Subscribe others

Document Folders

View folders

Notify other users about changes to folder contents

Create new Microsoft Office documents directly in the project

Upload documents to folders

Assign a moderator to a folder

Copy folders

Create folders

Edit folder properties

Rename folders

Moderate a folder even though a different user is assigned as the moderator.

Note: Users with Admin access to document folders cannot perform this task on document folders that are not moderated.

Configure folder security

Delete folders

Move folders within the project

Subscribe others

Document Files

View documents

Notify other users about documents

View versions

Check documents in and out

Undo check-out

WebEdit

Attach task lists and discussions

Copy documents

Create shortcuts

Edit document properties

Publish documents to the Knowledge Directory

Revert documents to previous versions

Configure document security

Delete documents

Delete previous versions of the document

Move documents

Remove owner security settings from a document

Subscribe others

Discussions

View discussions

Notify other users about discussions

Post messages

Reply to messages

Assign a moderator to a discussion

Attach task lists and files

Copy discussions

Create new discussions

Export discussions

Edit discussion properties

Moderate a discussion even though a different user is assigned as the moderator

Note: Users with Admin access to discussions cannot perform this task on discussions that are not moderated.

Configure discussion security

Delete discussions and messages

Edit messages

Subscribe others

Wikis

View wiki pages

Create wiki pages

Add/remove attachments to/from wiki pages

Edit wiki pages

Revert wiki page to a previous revision

Delete revision of wiki page

N/A

No additional permissions

Blogs

View blog entries

Create blog entries

Add/remove attachments to/from own blog entries

Edit own blog entries

Delete own blog entries

Comment on blog entries

Delete comment on own blog entries

N/A

Edit any blog entry

Delete any blog entry

Delete comment on any blog entry

Default Project Security Settings

Oracle WebCenter Collaboration provides default security settings for the Project Members and Project Guests roles that are automatically applied to a project when it is created. However, Project Leaders can change the default security settings for their individual projects. For more information, see Changing Default Permissions for Roles.

Object-Level Security Settings

By default, all Oracle WebCenter Collaboration objects derive their security from the project security settings. Changes made to the project security settings apply immediately to all objects that are configured to inherit the default settings. Project Leaders can choose to disable project security inheritance and configure security directly on an object. When project security is not inherited, an object retains its object-level security setting regardless of any changes made to the project security settings.

Note: Blogs and wikis do not have object-level security settings. They always inherit the project security settings.

The access levels that can be assigned to Oracle WebCenter Collaboration objects are the same as those that can be set as the default security settings. Object-level security can be set for events, task lists, document folders, documents, and discussions.

Object Properties

Default Document Owner Security

A user who uploads a document, or other file, to a document folder is the owner of that file. By default, an owner has full control of the file and can perform all actions on the file.

Project leaders can remove default owner security settings from any file in the project. Additionally, users with Admin access to a file can remove default owner security settings from the file. You may want to remove owner security settings from a file if the owner is no longer participating in the project and consequently should not have high-level access privileges to the file.

To remove owner security settings from a file:

In the Documents application view page, select the check box of a file in the table pane.

From the Edit menu, select Properties.

The Property Editor appears.

Click the Security tab.

Select Permanently remove owner security settings from this document.

Click Finish.
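
The access-level ordering, object-level overrides, and owner security described above can be modeled to review a project for settings that grant more than the project defaults. This is an added example, not Oracle code or a WebCenter Collaboration API: the names `Obj`, `role_access`, `effective_access`, and `review` and the sample data are hypothetical, and the model assumes one default level per role and treats the owner's full control as Admin.

```python
from dataclasses import dataclass
from enum import IntEnum

Access = IntEnum("Access", "NO_ACCESS READ WRITE EDIT ADMIN", start=0)  # higher includes lower
ALWAYS_INHERIT = {"blog", "wiki"}  # no object-level security for these types

@dataclass
class Obj:
    kind: str
    name: str
    override: dict = None        # role -> Access, set when inheritance is disabled
    owner: str = None
    owner_security: bool = True  # False once owner security is permanently removed

def role_access(defaults, obj, role):
    """Level a role gets from the object's own settings, else the project default."""
    if obj.override and obj.kind not in ALWAYS_INHERIT:
        return obj.override.get(role, defaults[role])
    return defaults[role]

def effective_access(roles, defaults, obj, user):
    role = roles.get(user)
    if role is None:             # no role in the project means no access
        return Access.NO_ACCESS
    if obj.kind == "document" and obj.owner == user and obj.owner_security:
        return Access.ADMIN      # assumption: owner "full control" modeled as Admin
    return role_access(defaults, obj, role)

def review(roles, defaults, objects):
    """Flag overrides above the project default and owner security worth removing."""
    findings = []
    for o in objects:
        for role in ("member", "guest"):
            if role_access(defaults, o, role) > defaults[role]:
                findings.append((o.name, f"{role} override exceeds project default"))
        role = roles.get(o.owner)
        if o.kind == "document" and o.owner and o.owner_security and (
                role is None or role_access(defaults, o, role) < Access.ADMIN):
            findings.append((o.name, "owner security exceeds role access"))
    return findings

ROLES = {"ana": "leader", "ben": "member", "cy": "guest"}  # constructed sample data
DEFAULTS = {"leader": Access.ADMIN, "member": Access.WRITE, "guest": Access.READ}
OBJECTS = [
    Obj("document", "budget.xls", {"guest": Access.EDIT}, "ben"),
    Obj("wiki", "Home", {"guest": Access.ADMIN}),  # override ignored: wikis inherit
    Obj("document", "plan.doc", owner="dee"),      # dee has no project role
    Obj("document", "notes.txt", owner="ben", owner_security=False),
]
```

Calling `review(ROLES, DEFAULTS, OBJECTS)` lists the objects to examine; files whose owner security has already been removed, and wikis or blogs regardless of any override, produce no findings.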

Setting Content Crawler Access to Folders

By default, the contents of a folder -- including the contents of all of its subfolders -- are visible to Oracle WebCenter Collaboration content crawlers for importing into the Knowledge Directory. When a folder is inaccessible to content crawlers, its contents can still be manually published to the Knowledge Directory.

To set content crawler accessibility for a folder:

Select a project in the My Projects or Community Projects portlet.

Click the Documents tab in the application view.

Select the check box of a folder in the table pane.

From the Edit menu, select Properties.

Perform one of the following tasks:

To make the document folder accessible to content crawlers, select Accessible to Content Crawlers.

To make the document folder inaccessible to content crawlers, clear Accessible to Content Crawlers.

Click Finish.

Assigning Moderators

Assigning Moderators to Folders

To manage the contents of a folder, you can assign a collection of users or a single user to moderate the folder. Folder moderators can approve or reject documents. Folder moderators with Admin access to the folder can edit documents before approving them. Documents in a moderated folder do not become publicly available unless approved by a moderator.

If a user has checked in changes to a document in a moderated folder, those changes are not visible until a moderator approves the changes. If a user has uploaded a document to a moderated folder, the document is not visible until a moderator approves the document.

When at least one moderator is set for a folder, that folder is marked as a moderated folder and anyone with Admin access to the folder can also act as a moderator.

When you assign moderators to a parent folder, all subfolders inherit the moderator list. If a subfolder of the parent folder already has a moderator list, the subfolder inherits changes made to the parent folder's moderator list. If all moderators are removed from a parent folder, the parent folder and all of its subfolders are no longer moderated.

When you add or remove a moderator from a folder, the moderator is subscribed to or unsubscribed from that folder.

To assign a moderator:

In the Documents application view page, right-click a folder in the navigation pane.

Click Edit Properties.

Make sure the Properties tab is selected in the Folder Editor.

Click Moderators.

In the Choose Users dialog box, select the project personnel whom you want to make moderators of this folder and click Finish.

In the Folder Editor, click Finish.

Assigning Moderators to Discussions

To manage the posting of messages in a discussion, you can assign a collection of users or a single user to moderate the discussion. Discussion moderators can approve or reject messages. Discussion moderators with Admin access to a discussion can edit messages before approving them. Messages posted in moderated discussions do not appear to users in the discussions unless approved by a moderator.

If a user has posted a message to a moderated discussion, that message is not visible until a moderator approves the message. If a user has edited a message in a moderated discussion, the change is not visible until a moderator approves the change.

When at least one moderator is set for a discussion, that discussion is marked as a moderated discussion and anyone with Admin access to the discussion can also act as a moderator.

To assign a moderator to a discussion:

In the Discussions application view page, right-click a discussion in the navigation pane.

Click Edit.

Make sure the Properties tab is selected in the Folder Editor.

Click Moderators.

In the Choose Users dialog box, select the project personnel whom you want to make moderators of this folder and click Finish.

In the Folder Editor, click Finish.

Activity Rights

Access to certain Oracle WebCenter Collaboration functionality is managed with portal activity rights. Collaboration Administrators who have been granted the Create Activities and Delegate Activities activity rights can assign the Oracle WebCenter Collaboration activity rights to users.

Oracle WebCenter Collaboration uses the following activity rights to grant access to various functionality: